Configuring SSL on Weblogic 8.1

posted by admin
on Sat, 02/04/2012 - 15:50

If you're new to SSL, please read our SSL Overview. You may also find the BEA documentation and the BEA viewlet helpful. The information here supplements the BEA documentation and answers some of the questions it leaves unanswered.

SSL installation on WebLogic 8.1 involves 4 main steps:

1. Obtain an SSL certificate from a trusted certificate authority.
2. Create keystores.
3. Configure keystores through the WebLogic Administrative Console.
4. Configure SSL through the Administrative Console.

Obtain SSL Certificate
To set up SSL, the server needs a private key, a digital certificate containing the matching public key, and a certificate for at least one trusted certificate authority. To obtain a digital certificate from a trusted certificate authority, a Certificate Signing Request (CSR) must be generated. The keytool utility provided by Sun Microsystems can be used to generate a CSR and a private key. The keytool utility is included with the Java SDK. The RSA algorithm must be used instead of the default DSA algorithm, since WebLogic does not support DSA.

Replace the names enclosed in curly braces with your own names and pass phrases.

Submit the CSR to a certificate authority to obtain an SSL certificate. Please note that WebLogic Server does NOT support the use of DSA (Digital Signature Algorithm). When using the keytool utility, the default key pair generation algorithm is DSA. Specify RSA as the key pair generation and signature algorithm. WebLogic Server can use digital certificates in either PEM or DER format. A private key that is not stored in a keystore must be in PEM format.

Save the certificate files received from the certificate authority as .pem files.

Create Keystores
A keystore is a mechanism designed to create and manage private key/digital certificate pairs and trusted CA certificates. Although a single keystore can be used to store both Identity and Trust, it is recommended that two separate keystores be used. The Identity keystore stores the private key and digital certificate pairs for the server, while the Trust keystore stores the trusted certificate.

Important: The Identity keystore should have at least two certificates: (1) the Server Certificate and Private Key pair, and (2) the Root Certificate. The Trust keystore would have one trust certificate. The trust certificate may or may not be the same as the root certificate. The root certificate is needed in the Identity keystore so that the server certificate can be validated via certificate chaining. The root certificate and trust certificate will NOT have private keys.
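
The steps above (RSA key pair, CSR, then separate Identity and Trust keystores) as an added shell example, not taken from the original page or from BEA. The aliases, file names and distinguished name are placeholder assumptions, and the entry-type names checked by audit_listing depend on the JDK's keytool version.

```shell
#!/bin/sh
# Added example, not from the original page. Aliases, file names and the DN
# are placeholders; keytool prompts for the keystore and key pass phrases.
ALIAS=server; IDENTITY=identity.jks; TRUST=trust.jks

# Generate the RSA key pair (the page notes keytool defaults to DSA) and the CSR.
make_csr() {
    keytool -genkey -alias "$ALIAS" -keyalg RSA \
        -dname "CN=www.example.com, O=Example, C=US" -keystore "$IDENTITY" &&
    keytool -certreq -alias "$ALIAS" -file server.csr -keystore "$IDENTITY"
}

# Import the root first so the CA reply can chain to it, then the server
# certificate under the private key's alias; the trust CA goes in its own store.
load_keystores() {
    keytool -import -trustcacerts -alias rootca -file root.pem -keystore "$IDENTITY" &&
    keytool -import -alias "$ALIAS" -file server.pem -keystore "$IDENTITY" &&
    keytool -import -trustcacerts -alias trustca -file trust.pem -keystore "$TRUST"
}

# Check `keytool -list` output (stdin) against the layout described above.
# $1 is "identity" or "trust". Older JDKs print keyEntry, newer PrivateKeyEntry.
audit_listing() {
    listing=$(cat)
    keys=$(printf '%s\n' "$listing" | grep -c -E 'keyEntry|PrivateKeyEntry' || true)
    certs=$(printf '%s\n' "$listing" | grep -c 'trustedCertEntry' || true)
    case "$1" in
        identity)
            [ "$keys" -ge 1 ] || { echo "fail: no private key entry"; return 1; }
            [ "$certs" -ge 1 ] || { echo "fail: root certificate missing"; return 1; } ;;
        trust)
            [ "$keys" -eq 0 ] || { echo "fail: private key in trust keystore"; return 1; }
            [ "$certs" -ge 1 ] || { echo "fail: no trusted certificate"; return 1; } ;;
        *)  echo "fail: unknown keystore role"; return 1 ;;
    esac
    echo ok
}

# Constructed sample listing (real use: keytool -list -keystore identity.jks).
SAMPLE_IDENTITY='server, Feb 4, 2012, PrivateKeyEntry,
rootca, Feb 4, 2012, trustedCertEntry,'
printf '%s\n' "$SAMPLE_IDENTITY" | audit_listing identity
```

Run make_csr before submitting the request and load_keystores once the .pem files are saved; pipe each keystore's keytool -list output through audit_listing before pointing the Administrative Console at it.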

Follow the BEA documentation and the BEA viewlet. Note that the initial screen asks for the Identity and Trust keystore pass phrases, and upon submit it asks for the Private Key pass phrase. Make sure you enter the Private Key pass phrase rather than the Keystore pass phrase on the follow-up screen.